onasis-mcp-server

by lanonasis

Overview

Provides a unified API gateway and Model Context Protocol (MCP) server for enterprise memory management (Memory as a Service - MaaS), AI agent integration, and secure API key management, with real-time updates and workflow orchestration capabilities.

Installation

Run Command
node dist/unified-mcp-server.js

Environment Variables

  • SUPABASE_URL
  • SUPABASE_KEY
  • SUPABASE_SERVICE_KEY
  • JWT_SECRET
  • API_KEY_ENCRYPTION_KEY
  • OPENAI_API_KEY
  • REDIS_URL
  • OAUTH_CLIENT_SECRET
  • EMERGENCY_BOOTSTRAP_TOKEN
  • ONASIS_CORE_URL
  • LANONASIS_MAAS_URL
  • NODE_ENV
  • PORT
  • HOST

Security Notes

The server has critical security vulnerabilities.

  • The '2025-08-23-PROGRESS-UPDATE.md' explicitly flags 'Authentication & Authorization Issues ⚠️', noting 'Current MCP implementation bypasses Core authentication entirely' and 'MCP calls database directly without proper JWT validation'.
  • The `src/netlify/mcp.js` Netlify function hardcodes `organizationId: 'ADMIN_ORG'` and `userId: null`, allowing unauthenticated creation of memories and API keys.
  • The `src/middleware/_middleware.js` includes a 'WARNING: Placeholder implementation - DO NOT DEPLOY TO PRODUCTION' for JWT validation.
  • The `src/routes/emergency-admin.ts` creates an admin API key without login and warns to 'Remove this file after initial setup!'.
  • Weak default `JWT_SECRET` and `EMERGENCY_BOOTSTRAP_TOKEN` values are present.
  • The `EncryptionUtils` uses a hardcoded 'salt', which is a security anti-pattern.

While `src/middleware/auth-aligned.ts` attempts to fix some authentication issues, the overall system, especially in its Netlify function deployments, is highly insecure and not safe for production as-is.

Stats

  • Interest Score: 0
  • Security Score: 2
  • Cost Class: High
  • Avg Tokens: 1000
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-02

Tags

API Gateway, AI Agents, Memory Management, Model Context Protocol, Server-Sent Events, WebSocket, Enterprise, Supabase, OpenAI, Workflow Orchestration, CLI Integration